From owner-freebsd-questions Thu Jan 17 02:06:26 2002
Delivered-To: freebsd-questions@freebsd.org
From: Sheldon Hearn
To: freebsd-questions@FreeBSD.org
Subject: Re: IPv4 tunnelling
In-reply-to: Your message of "Thu, 17 Jan 2002 10:32:41 +0200." <21074.1011256361@axl.seasidesoftware.co.za>
Date: Thu, 17 Jan 2002 12:08:47 +0200
Message-ID: <22615.1011262127@axl.seasidesoftware.co.za>

[I've quoted a large portion of my previous message in case someone who
wants to read this message deleted that one. If there's anyone who has
lots of clue in this area, is too lazy to get stuck into this for free,
but would help me for money, please send me private mail.]
On Thu, 17 Jan 2002 10:32:41 +0200, Sheldon Hearn wrote:

> Toward this goal, I now have the following configuration for testing:
>
> New firewall (public interface 196.31.7.199)
>
> gif0: flags=8051 mtu 1280
>         inet 216.123.44.3 --> 196.31.7.202 netmask 0xffffffff
>         physical address inet 196.31.7.199 --> 216.123.44.2
>
> Old firewall (public interface 216.123.44.2)
>
> gif0: flags=8051 mtu 1280
>         inet 196.31.7.202 --> 216.123.44.3 netmask 0xffffffff
>         physical address inet 216.123.44.2 --> 196.31.7.199
>
> I have the following IPFW rules that ensure that I should be able to
> ping from the old firewall:
>
> add allow icmp from any to 216.123.44.2 icmptypes 0,3,8,11,12,13,14
> add allow icmp from 216.123.44.0/24 to any icmptypes 0,3,8,11,12,13,14
>
> Similar rules exist on the new firewall.
>
> The new firewall has the following natd configuration:
>
> -redirect_address 21.0.21.3 196.31.7.202
>
> Also, the new firewall has 196.31.7.202 configured as an inet alias on
> the public interface.
>
> However, when I use ping to test the tunnel from the old firewall, I get
> this:
>
> ping -S 216.123.44.2 216.123.44.3
> PING 216.123.44.3 (216.123.44.3) from 216.123.44.2: 56 data bytes
> ping: sendto: Permission denied
>
> I'm pretty sure I need to do something more, configuration-wise, to get
> packets to enter and exit the tunnel correctly.

I'm not sure what I changed, but the ping test works now.

However, I can't connect to port 80 on 216.123.44.3. I set up this IPFW
rule to forward 216.123.44.3's traffic into the tunnel:

fwd 196.31.7.202 ip from any to 216.123.44.3

This relies on the following routing entry, which was created
automatically when I set up the gif(4) tunnel:

216.123.44.3       196.31.7.202       UH          0       21   gif0 =>

tcpdump on the gif0 interface doesn't show any traffic on it at all
while I try 'telnet 216.123.44.3 80' from a remote host.

Help! :-)

Ciao,
Sheldon.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
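A tiny first-match evaluator for the ipfw(8) rule excerpts quoted in the message above, added here as an illustration; it is not code from the post or from FreeBSD. It models only the 'allow' and 'fwd' actions with the proto/from/to/icmptypes clauses that appear in the post, first-match order, and ipfw's default-deny final rule, so its answers describe the quoted excerpts, not the complete rulesets on either firewall. The sample packets (a ping between the two public addresses, a TCP SYN to port 80) are constructed for the example.

```python
"""First-match evaluator for a small subset of ipfw(8) rule syntax.

Added example, not from the post or from FreeBSD.  Supports:
  [add] allow <proto> from <addr> to <addr> [icmptypes a,b,c]
  [add] fwd <nexthop> <proto> from <addr> to <addr>
where <proto> is 'ip' (any), 'icmp' or 'tcp', and <addr> is 'any',
a host address or a CIDR prefix.  Unmatched packets hit the implicit
default-deny rule (ipfw rule 65535 on a kernel without
IPFIREWALL_DEFAULT_TO_ACCEPT).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str                     # "icmp" or "tcp"
    src: str
    dst: str
    icmptype: Optional[int] = None  # ICMP type, for proto == "icmp"
    dport: Optional[int] = None     # destination port, for proto == "tcp"


def _addr_matches(spec: str, ip: str) -> bool:
    """'any' matches everything; otherwise host or CIDR containment."""
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def parse_rule(text: str) -> dict:
    """Parse one rule line into a dict (raises on syntax it does not model)."""
    toks = text.split()
    if toks[0] == "add":               # 'ipfw add ...' prefix is optional
        toks = toks[1:]
    action = toks[0]
    i = 1
    nexthop = None
    if action == "fwd":                # fwd takes the next-hop address first
        nexthop = toks[1]
        i = 2
    elif action != "allow":
        raise ValueError(f"unsupported action: {action}")
    proto = toks[i]
    i += 1
    if toks[i] != "from" or toks[i + 2] != "to":
        raise ValueError(f"expected 'from X to Y' in: {text}")
    src, dst = toks[i + 1], toks[i + 3]
    i += 4
    icmptypes = None
    if i < len(toks) and toks[i] == "icmptypes":
        icmptypes = {int(t) for t in toks[i + 1].split(",")}
    return {"action": action, "nexthop": nexthop, "proto": proto,
            "src": src, "dst": dst, "icmptypes": icmptypes}


def rule_matches(rule: dict, pkt: Packet) -> bool:
    """True when every clause of the rule matches the packet."""
    if rule["proto"] not in ("ip", pkt.proto):
        return False
    if not _addr_matches(rule["src"], pkt.src):
        return False
    if not _addr_matches(rule["dst"], pkt.dst):
        return False
    if rule["icmptypes"] is not None and pkt.icmptype not in rule["icmptypes"]:
        return False
    return True


def evaluate(rules: list, pkt: Packet) -> str:
    """Return 'allow', 'fwd <nexthop>' or 'deny' for the first matching rule."""
    for r in rules:
        if rule_matches(r, pkt):
            return f"fwd {r['nexthop']}" if r["action"] == "fwd" else r["action"]
    return "deny"                      # implicit default-deny


# The rules quoted in the post: ICMP rules from the old firewall, and the
# fwd rule added on the new firewall.
OLD_FW_RULES = [parse_rule(r) for r in (
    "add allow icmp from any to 216.123.44.2 icmptypes 0,3,8,11,12,13,14",
    "add allow icmp from 216.123.44.0/24 to any icmptypes 0,3,8,11,12,13,14",
)]
NEW_FW_RULES = [parse_rule("fwd 196.31.7.202 ip from any to 216.123.44.3")]

# Constructed sample packets.
PING_OUT = Packet("icmp", "216.123.44.2", "216.123.44.3", icmptype=8)
PING_REPLY = Packet("icmp", "216.123.44.3", "216.123.44.2", icmptype=0)
REDIRECT_IN = Packet("icmp", "10.0.0.1", "216.123.44.2", icmptype=5)
HTTP_SYN = Packet("tcp", "10.0.0.1", "216.123.44.3", dport=80)

if __name__ == "__main__":
    for name, rules, pkt in (("old fw, echo request", OLD_FW_RULES, PING_OUT),
                             ("old fw, echo reply", OLD_FW_RULES, PING_REPLY),
                             ("old fw, ICMP redirect", OLD_FW_RULES, REDIRECT_IN),
                             ("new fw, TCP/80", NEW_FW_RULES, HTTP_SYN)):
        print(f"{name}: {evaluate(rules, pkt)}")
```

Running it shows the two ICMP rules admitting the echo request and reply between the tunnel endpoints while rejecting an ICMP type that is not in the icmptypes list, and the 'ip' fwd rule matching the TCP SYN to 216.123.44.3 regardless of port, since the rule names no protocol or port restriction.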